Debian Bug report logs - #309504
CAN-2005-1519: DNS Spoofing

version graph

Package: squid; Maintainer for squid is Luigi Gangitano <luigi@debian.org>; Source for squid is src:squid3 (PTS, buildd, popcon).

Reported by: Martin Pitt <mpitt@debian.org>

Date: Tue, 17 May 2005 17:18:05 UTC

Severity: grave

Tags: patch, security, woody

Found in versions 2.5.9-8, 2.4.6-2woody1

Fixed in versions 2.5.9-9, 2.4.6-2woody9

Done: Luigi Gangitano <luigi@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#309504; Package squid. (full text, mbox, link).

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to Luigi Gangitano <luigi@debian.org>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: team@security.debian.org
Subject: CAN-2005-1519: DNS Spoofing
Date: Tue, 17 May 2005 19:06:32 +0200
[Message part 1 (text/plain, inline)]
Package: squid
Version: 2.5.9-8
Severity: grave
Tags: security patch
Justification: user security hole

Hi!

CAN-2005-1519 is not yet fixed in Debian, see

  http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_query

for details. I prepared an Ubuntu Breezy update which applies to
Sid/Sarge as well:

  http://patches.ubuntu.com/patches/squid.CAN-2005-1519.diff

Martin

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.9
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages squid depends on:
ii  adduser                     3.63         Add and remove users and groups
ii  coreutils                   5.2.1-2      The GNU core utilities
ii  debconf                     1.4.30.13    Debian configuration management sy
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an
ii  libldap2                    2.1.30-6     OpenLDAP libraries
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l
ii  logrotate                   3.7-2        Log rotation utility
ii  netbase                     4.21         Basic TCP/IP networking system
pn  squid-common                             Not found.

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org

[signature.asc (application/pgp-signature, inline)]

Tags added: woody Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#309504; Package squid. (full text, mbox, link).

Acknowledgement sent to Luigi Gangitano <luigi@debian.org>:
Extra info received and forwarded to list. (full text, mbox, link).

Message #12 received at 309504@bugs.debian.org (full text, mbox, reply):

From: Luigi Gangitano <luigi@debian.org>
To: 309504@bugs.debian.org, Martin Pitt <mpitt@debian.org>
Cc: team@security.debian.org
Subject: Re: Bug#309504: CAN-2005-1519: DNS Spoofing
Date: Wed, 18 May 2005 00:41:12 +0200
[Message part 1 (text/plain, inline)]
> CAN-2005-1519 is not yet fixed in Debian, see
> 
>   http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_query
> 
> for details. I prepared an Ubuntu Breezy update which applies to
> Sid/Sarge as well:
> 
>   http://patches.ubuntu.com/patches/squid.CAN-2005-1519.diff

CAN-2005-1519 has been fixed in squid-2.5.9-9, which is already in
sarge. There's no reference in the changelog since there was no CAN id
available at upload time.

A fix for woody is in the works.

Regards,

-- 
 Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
 GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26

[signature.asc (application/pgp-signature, inline)]

Bug marked as found in version 2.4.6-2woody1. Request was from Luigi Gangitano <luigi@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as fixed in version 2.5.9-9, send any further explanations to Martin Pitt <mpitt@debian.org> Request was from Luigi Gangitano <luigi@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug marked as fixed in version 2.4.6-2woody9, send any further explanations to Martin Pitt <mpitt@debian.org> Request was from Luigi Gangitano <luigi@debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 10:00:12 GMT) (full text, mbox, link).

Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:46:10 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:31:57 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 11 12:08:18 2017; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.